just another infosec blog

Fuzzing – CTF primer

Fuzz testing or fuzzing is a technique commonly used in software testing to find how software responds to invalid, unexpected or random data. The targeted software may fail, give unexpected output or misbehave processing the randomized input data. Input that leads to such situations is then addressed and rectified.

The term fuzz testing originates from a 1988 class project testing the reliability of Unix programs by bombarding them with random data until they crashed. As the years passed on new techniques emerged and crashing software isn’t lo longer the main goal – nowadays it’s used for finding defects.

Fuzz testing isn’t only a technique to find defects with intention to make better software. Even hackers has found their use of this technique. The main approach is the same – hit a target with random data to see how it react.

Today we’ll be looking at a tool called Wfuzz and we’ll do so by applying it to a well-known CTF game!

Wfuzz – Web application Bruteforcer

There are many fuzzers available on the market, both free and commercial. One such free fuzzer is Wfuzz – a CLI tool designed for bruteforcing web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP, etc), bruteforce forms parameters (User/Password), fuzzing, etc. It’s a handy tool to know.

Basic usage

Help

If you are completely new to this tool I advice you to seek out the help section. You can do so by issuing the following command:

$ wfuzz -h

As you’ll notice the help section is a bit massive. Below is an overview of the options I use the most:

Option

Description

-c

Colored output

-t

Concurrent connections

-s

Time delay between connections

-z

Payload

-w

Wordlist

-d

Postdata

-H

Headers

–hc/hl/hw/hh

Filter/hide responses with the specified code/lines/words/chars

–sc/sl/sw/sh

Filter/show responses with the specified code/lines/words/chars

–html

Discovering hidden resources

Wfuzz is a great tool for finding hidden resources on a web server. Here we’ll try to discover hidden resources (scripts, directories etc) on target_site using a path list (file) as input. The path list I am using is custom-made and contains some keywords related to well-known URL paths. Wfuzz will read the input line by line and insert the read value into wherever we put the “FUZZ” keyword and then fire off a request to said path. In the following command I have added a filter to remove any requests resulting in an HTTP 404.

$ wfuzz -c --hc 404 -z file,url_paths.txt http://target_ip/FUZZ

Aimed at one of my test machines this command yields the following:

As we can see the web server returns HTTP 500 in some cases. Interesting!

POST requests

So we made a nice discovery using the last command. Moving on we can also manipulate POST requests. In the following example I am reusing the same target IP on a different machine. The following is a command to bruteforce WordPress login for the Mr. Robot 1 Vulnhub CTF game:

Consuming large dictionaries as what is offered in the Mr. Robot 1 game requires a lot of requests. This means it’ll be noisy and it’ll takes forever to complete. For this example I’ve just sorted the dictionary and removed duplicates to speed things up a bit.

Headers

Moving on to the last example. It is also possible to work with the HTTP headers directly. In this example I’ll try to uncover if the Mr. Robot 1 server responds to other host domain names:

In this example I am using a small list of domain names I’ve concocted and I expect it to fail. I would’ve also tried to fuzz a cookie but I decided not to since the same theory applies to this scenario – just apply the FUZZ keyword where you need it. The command yields:

Nothing interesting found.

Wfuzz example gallery

I’ve made a gallery of the screenshots listed in case you can’t see the outputs properly. Just click on the screenshots and they should pop up in larger format.

Wfuzz help text

Wfuzz path discovery

Wfuzz password bruteforcing

Wfuzz header fuzzing

Conclusion

Wfuzz is a handy tool. My peek into this marvelous tool only scratches the surface of what’s possible. From here you could easily extend and build new commands. For instance, what about trying to add more payloads into the equation?